I’ve made the effort to secure mine and am aware of how the trusted protection module works with keys, Fedora’s Anaconda system, the shim, etc. I’ve seen where some here have mentioned they do not care or enable secure boot. Out of open minded curiosity for questioning my biases, I would like to know if there is anything I’ve overlooked or never heard of. Are you hashing and reflashing with a CH341/Rπ/etc, or is there some other strategy like super serious network isolation?

  • lnxtx@feddit.nl
    link
    fedilink
    English
    arrow-up
    12
    arrow-down
    1
    ·
    3 months ago

    Keep EFI bootloader off the computer (n+1 copies on a flash drive). Make /boot partition fully encrypted.

    Don’t trust Secure Boot.

    If you can, try the coreboot.

    • Exec
      link
      fedilink
      arrow-up
      9
      ·
      edit-2
      3 months ago

      Don’t trust Secure Boot.

      That’s the second best thing as long as you don’t worry about nation state actors (you’re fucked by then anyway). Only requirement is a board/laptop manufacturer with a proper uefi setup (eg ability to set your own keys, not using those “do not use” test keys, etc) - that usually comes with business machines.